﻿/*----------------------------------------------------------------
// Copyright (C) 2009 dusonchen
// 版权所有。 
//
// 文件名：
// 文件功能描述：
//
// 
// 创建标识：2009-3-22 23:08:13
//
// 修改标识：
// 修改描述：
//
// 修改标识：
// 修改描述：
//----------------------------------------------------------------*/

using System;
using System.Collections.Generic;
using System.Text;

using System.Text.RegularExpressions;
using System.Web;

namespace DusonFramework.Core.Web.Text
{
    /// <summary>
    /// 
    /// </summary>
    public class Filter
    {
        private string FilterStrings(string strInput)
        {
            //setup up list of search terms as items may be used twice
            string tempInput = strInput;
            List<string> listStrings = new List<string>();
            listStrings.Add("<script[^>]*>.*?</script[^><]*>");
            listStrings.Add("<input[^>]*>.*?</input[^><]*>");
            listStrings.Add("<object[^>]*>.*?</object[^><]*>");
            listStrings.Add("<embed[^>]*>.*?</embed[^><]*>");
            listStrings.Add("<applet[^>]*>.*?</applet[^><]*>");
            listStrings.Add("<form[^>]*>.*?</form[^><]*>");
            listStrings.Add("<option[^>]*>.*?</option[^><]*>");
            listStrings.Add("<select[^>]*>.*?</select[^><]*>");
            listStrings.Add("<iframe[^>]*>.*?</iframe[^><]*>");
            listStrings.Add("<ilayer[^>]*>.*?</ilayer[^><]*>");
            listStrings.Add("<form[^>]*>");
            listStrings.Add("</form[^><]*>");
            listStrings.Add("javascript:");
            listStrings.Add("vbscript:");
            listStrings.Add("alert.*\\(?\'?\"?\'?\"?\\)");

            RegexOptions options = RegexOptions.IgnoreCase | RegexOptions.Singleline;
            string strReplacement = " ";
            foreach (string s in listStrings)
            {
                tempInput = Regex.Replace(tempInput, s, strReplacement, options);
            }

            //check if text contains encoded angle brackets, if it does it we decode it to check the plain text
            if (tempInput.Contains("&gt;") == true && tempInput.Contains("&lt;") == true)
            {
                //text is encoded, so we check with an encoded version of the strings
                foreach (string s in listStrings)
                {
                    tempInput = Regex.Replace(tempInput, HttpContext.Current.Server.HtmlEncode(s), strReplacement, options);
                }
            }

            return tempInput;

        }

        ///-----------------------------------------------------------------------------
        /// <summary>
        /// This function verifies raw SQL statements to prevent SQL injection attacks
        /// and replaces a similar function (PreventSQLInjection) from the Common.Globals.vb module
        /// </summary>       
        private string FormatRemoveSQL(string strSQL)
        {

            string strCleanSQL = strSQL;

            if (strSQL != null)
            {

                Array BadCommands = ";,--,create,drop,select,insert,delete,update,union,sp_,xp_".Split(',');

                // strip any dangerous SQL commands
                int intCommand;
                for (intCommand = 0; intCommand <= BadCommands.Length - 1; intCommand++)
                {
                    strCleanSQL = Regex.Replace(strCleanSQL, Convert.ToString(BadCommands.GetValue(intCommand)), " ", RegexOptions.IgnoreCase);
                }

                // convert any single quotes
                strCleanSQL = strCleanSQL.Replace("\'", "\'\'");
            }

            return strCleanSQL;

        }
    }
}
